
Selling your corporate password? You may want to think twice

A recent report in many of the CIO/CSO magazines cites the astonishing results of a survey by Vanson Bourne, an independent research firm: about one out of every four employees would be willing to sell their company password to an outsider.

While those 25 per cent would be willing to make a buck by selling access to the information, the majority of respondents said they’d need serious coin to make the transaction, asking $1,000 or more for the credentials. Some would do so for as little as $100.

While much has been published recently about a wide variety of technologies looking to do away with passwords, such as Amazon’s “selfie” password and Microsoft’s “Hello” facial recognition, these technologies are still a long way from being widely adopted and readily available, so organisations still need to focus on mitigating password issues.

The survey also points out that most users would change their password shortly after receiving the money. Even so, the buyer has a window of access before that change, so the sale still opens companies up to a huge security risk that should be mitigated as soon as possible. Let’s take a look at some of the options available to companies today at minimal cost that vastly reduce the risks associated with the single point of failure known as the password.

The most common technology in use today is two-factor authentication (2FA), or two-step verification. This type of password solution is often utilised by banks to secure client access, by Google to authenticate users to Gmail and by many other web applications. The idea is that when a login is detected from an unknown device, such as a laptop or smartphone, a one-time PIN is sent, typically via SMS, that must be provided before the user gains access to the application or website. The technology exists today to apply this same solution to the network login. The idea here is to supplement the password with another factor, in this case a PIN delivered to the user’s mobile device.
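As an added illustration of the one-time PIN step described above (example code written for this page, not anything from the author or from Tools4ever): a small server-side second-factor check that decides whether a device is unknown, issues an unpredictable PIN out of band, and accepts it only once, only within its lifetime and only for a limited number of tries. The six-digit length, five-minute lifetime, three-attempt budget, the user and phone numbers and the stand-in SMS sender are all assumptions.

```python
import hmac
import secrets
import time

# Added example: the second-factor step for a network login described above.
# Assumptions (not from the article): six-digit PIN, five-minute lifetime, three
# attempts, and an SMS "sender" that just records the message it would have sent.
PIN_LENGTH = 6
PIN_LIFETIME_SECONDS = 300
MAX_ATTEMPTS = 3


class SecondFactor:
    """Decides when a PIN is needed, issues it, and verifies it once."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms      # callable(phone_number, message)
        self.clock = clock            # injectable so expiry can be tested
        self.known_devices = {}       # username -> set of trusted device ids
        self.pending = {}             # username -> {"pin", "expires", "attempts"}

    def needs_second_factor(self, username, device_id):
        """A login from a device not seen before triggers the PIN step."""
        return device_id not in self.known_devices.get(username, set())

    def issue_pin(self, username, phone_number):
        """Generate an unpredictable PIN (secrets, not random) and send it out of band."""
        pin = f"{secrets.randbelow(10 ** PIN_LENGTH):0{PIN_LENGTH}d}"
        self.pending[username] = {
            "pin": pin,
            "expires": self.clock() + PIN_LIFETIME_SECONDS,
            "attempts": 0,
        }
        self.send_sms(phone_number, f"Your one-time login PIN is {pin}")

    def verify_pin(self, username, device_id, submitted):
        """True only for the current, unexpired PIN, within the attempt budget, once."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[username]        # stale or being guessed: start over
            return False
        entry["attempts"] += 1
        # constant-time comparison so timing does not leak how many digits matched
        if not hmac.compare_digest(entry["pin"], str(submitted)):
            return False
        del self.pending[username]            # single use: a replayed PIN fails
        self.known_devices.setdefault(username, set()).add(device_id)
        return True


def demo():
    """Walk one login through the flow with a recording SMS sender; returns the outcomes."""
    sent = []
    sf = SecondFactor(send_sms=lambda number, message: sent.append(message))
    device = "laptop-7f3a"                     # constructed device id
    outcomes = {"challenged": sf.needs_second_factor("alice", device)}
    sf.issue_pin("alice", "+1-555-0100")       # constructed phone number
    pin = sent[-1].split()[-1]                 # the PIN the user would read off the phone
    wrong_guess = "000000" if pin != "000000" else "111111"
    outcomes["wrong_pin"] = sf.verify_pin("alice", device, wrong_guess)
    outcomes["right_pin"] = sf.verify_pin("alice", device, pin)
    outcomes["replayed_pin"] = sf.verify_pin("alice", device, pin)
    outcomes["device_trusted_now"] = not sf.needs_second_factor("alice", device)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The three checks that matter in practice are the ones the paragraph leaves implicit: the PIN expires, it is consumed on first use so a captured message cannot be replayed, and the attempt budget stops an attacker who holds the stolen password from simply guessing all one million six-digit values.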

Two-factor authentication or verification can also utilise other technologies besides a PIN. The US government makes extensive use of ID cards to ensure secure logins. A card reader, together with the user’s ID badge (a proximity-type card), must be present to gain access to the web portal that provides many services to military personnel. This was recently supplemented to allow a one-time-use PIN, delivered via email, in cases where a badge reader or the ID card is not readily available.

Secure ID tokens have been in use for years and are another quick and relatively inexpensive option to increase security. Two basic types exist: one generates a new random code on a regular basis that must be provided at the time of login, and the other is a USB dongle that must be attached to the computer to access the network. In reality, both are just another form of 2FA – something the user knows (the password) and something they have (the token, or the phone the PIN is sent to).

Beyond 2FA is multi-factor or contextual authentication, also sometimes referred to as risk-based authentication. Here a profile of normal behaviour is built for each user from factors such as time of day, IP address, type of network connected to, etc. If a certain number of these parameters fall outside the norm for that user, access can be denied immediately. To accommodate unusual situations, users can request access outside their norms in advance, for a specific period of time. Managers and/or IT staff can then evaluate whether the request is appropriate.

As an example, I normally work 9 a.m. to 6 p.m. Eastern from my desktop machine on the company Ethernet, but for the next few weeks I will be travelling in Europe and accessing the network from my tablet over Wi-Fi anywhere between 2 and 5 p.m. Eastern, allowing for the time difference. I can make that request prior to my trip, and since my manager knows I will be out, he can approve the access for the two-week period.
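The two paragraphs above describe a complete procedure: build a per-user norm, count the factors that deviate on each login, deny past a threshold, and let a pre-approved request cover a known period of travel. The following is an added example that implements that procedure (written for this page, not code from the author or from Tools4ever). The four factors chosen, the deny threshold of two deviations, the corporate address range, the travel dates and the documentation-range source address are all constructed assumptions; the scenario itself is the author's Europe trip.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example of the contextual / risk-based evaluation described above.
# Assumptions (not from the article): factors are hour of day, source network, device
# and connection type; two or more out-of-norm factors deny the login unless an
# approved request covers every one of them. Dates and addresses are constructed.
DENY_THRESHOLD = 2


@dataclass
class Profile:
    """What is normal for one user (the baseline the scenarios are built from)."""
    work_hours: range          # expected login hours in the user's home time zone
    networks: list             # ip_network objects the user normally connects from
    devices: set
    connections: set


@dataclass
class AccessRequest:
    """A request, filed in advance, to work outside the norm for a fixed period."""
    user: str
    start: datetime
    end: datetime
    hours: range
    devices: set
    connections: set
    any_network: bool = False            # travel: the source networks cannot be predicted
    approved_by: Optional[str] = None    # set by the reviewing manager / IT staff


@dataclass
class LoginAttempt:
    user: str
    when: datetime
    source_ip: str
    device: str
    connection: str


def deviations(profile, attempt):
    """Names of the factors that fall outside this user's norm for one login."""
    out = []
    if attempt.when.hour not in profile.work_hours:
        out.append("time_of_day")
    if not any(ip_address(attempt.source_ip) in net for net in profile.networks):
        out.append("ip_address")
    if attempt.device not in profile.devices:
        out.append("device")
    if attempt.connection not in profile.connections:
        out.append("connection")
    return out


def explained_by(req, attempt):
    """Factors an *approved* request accounts for at the moment of this attempt."""
    if req.approved_by is None or not (req.start <= attempt.when <= req.end):
        return set()
    explained = set()
    if attempt.when.hour in req.hours:
        explained.add("time_of_day")
    if attempt.device in req.devices:
        explained.add("device")
    if attempt.connection in req.connections:
        explained.add("connection")
    if req.any_network:
        explained.add("ip_address")
    return explained


def decide(profile, requests, attempt):
    """Allow when few factors deviate, or when an approved request covers all of them."""
    devs = deviations(profile, attempt)
    if len(devs) < DENY_THRESHOLD:
        return "allow", devs, None
    for req in requests:
        if req.user == attempt.user and set(devs) <= explained_by(req, attempt):
            return "allow", devs, req.approved_by
    return "deny", devs, None


def demo():
    """The author's travel scenario with constructed dates, addresses and identifiers."""
    profile = Profile(work_hours=range(9, 18), networks=[ip_network("10.0.0.0/8")],
                      devices={"desktop"}, connections={"ethernet"})
    trip = AccessRequest(user="dean", start=datetime(2016, 3, 14), end=datetime(2016, 3, 28),
                         hours=range(14, 17), devices={"tablet"}, connections={"wifi"},
                         any_network=True)
    results = {}
    office = LoginAttempt("dean", datetime(2016, 3, 10, 10, 0), "10.1.2.3", "desktop", "ethernet")
    results["office"] = decide(profile, [trip], office)[0]
    travel = LoginAttempt("dean", datetime(2016, 3, 16, 15, 0), "203.0.113.5", "tablet", "wifi")
    results["travel_unapproved"] = decide(profile, [trip], travel)[0]
    trip.approved_by = "manager"                       # the manager signs off
    results["travel_approved"] = decide(profile, [trip], travel)[0]
    late = LoginAttempt("dean", datetime(2016, 3, 16, 23, 0), "203.0.113.5", "tablet", "wifi")
    results["travel_late_night"] = decide(profile, [trip], late)[0]
    one_off = LoginAttempt("dean", datetime(2016, 3, 10, 20, 0), "10.1.2.3", "desktop", "ethernet")
    results["single_deviation"] = decide(profile, [trip], one_off)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. An approved request only explains the factors it was filed for, so the same tablet on the same hotel Wi-Fi at 11 p.m. is still denied; and a single deviation (working late from the usual desk) stays below the threshold, which is what keeps a scheme like this from generating a flood of denials for ordinary behaviour.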

Regardless of the technology utilised, companies of all sizes must do something in the near term to protect themselves from disgruntled employees willing to sell the keys to the kingdom for as little as $100.

Dean Wiech is managing director of Tools4ever US

Image Credit: m.jrn / Shutterstock